On 29 April 2024, regulations enforcing consumer protections against hacking and cyber-attacks took effect, mandating by law that internet-connected smart devices meet minimum security standards.
Consumer connectable products can connect to the internet or other networks, and can transmit and receive digital data. Examples of these products include smartphones, smart TVs, smart speakers, connected baby monitors and connected alarm systems. They are also known as consumer “Internet of Things” devices (“IoT”) or consumer “smart” devices.
Insecure products can be used in ways the consumer never intended, as in the case of security cameras being compromised in Singapore. Insecure products can also act as the “point of entry” to a network, enabling attackers to reach valuable information: attackers accessed a US casino’s customer details via a connected thermometer in a fish tank.
Devices can also be compromised at scale as part of DDoS or “botnet” attacks. For example, in 2016, cyber criminals compromised 300,000 products with the Mirai malware. The attackers used the collective computing power of those devices to disrupt the service of many news and media websites, including the BBC and Netflix. Mirai was able to penetrate so many devices because weak security practices, such as default passwords, were widespread.
Regulatory Activity to Date
Government activity to regulate the IoT and connected devices market effectively began in 2018, when the Department for Digital, Culture, Media and Sport (DCMS), in conjunction with the National Cyber Security Centre (NCSC), developed a Code of Practice for consumer IoT security. It set out thirteen outcome-focused guidelines to ensure that IoT products are secure by design, in order to protect consumers’ privacy and safety.
The Government also worked with the European Telecommunications Standards Institute (ETSI) to create a new globally applicable standard for IoT security, which led to the drafting of ETSI EN 303 645: Cyber Security for Consumer Internet of Things: Baseline Requirements, consistent with the thirteen principles of the UK’s Code of Practice. Adopted in June 2020, ETSI EN 303 645 is the first globally applicable technical standard for the cyber security of consumer connectable products.
Following a Call for Views in July 2020, it became evident that widespread compliance with the priority security requirements from ETSI EN 303 645 would have the greatest impact in improving the cyber security of consumer connectable products and protecting UK consumers.
With yesterday’s announcement, three requirements (out of the thirteen specified in the ETSI standard) have become mandatory for manufacturers of smart products. These are:
- Security Requirement 1: Ban universal default passwords and easily guessable default passwords.
- Security Requirement 2: Mandate that manufacturers make available information on how to report security vulnerabilities.
- Security Requirement 3: Mandate that manufacturers be transparent about the minimum period for which the product will receive security updates.
The laws are coming into force as part of the Product Security and Telecommunications Infrastructure (PSTI) regime, which has been designed to improve the UK’s resilience to cyber-attacks and ensure that malign interference does not impact the wider UK and global economy.
Securing Your Devices
Gemserv has significant experience in supporting manufacturers of smart devices in securing their products. Our Connected Devices experts can help organisations navigate the complex regulatory landscape and support product development activities, ensuring that effective mitigations are implemented and that security requirements and obligations are met.